community.general.ipa_getkeytab module – Manage keytab file in FreeIPA

Note

This module is part of the community.general collection (version 9.5.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.general.ipa_getkeytab.

New in community.general 9.5.0
Synopsis

Manage a keytab file with the ipa-getkeytab utility. See https://manpages.ubuntu.com/manpages/jammy/man1/ipa-getkeytab.1.html for reference.
Requirements

The below requirements are needed on the host that executes this module.

freeipa-client
The managed host must be enrolled as a FreeIPA client.
Parameters

Parameter | Comments
---|---
| The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the
| The LDAP password to use when not binding with Kerberos.
| The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections.
| The list of encryption types to use to generate keys. It will use local client defaults if not provided. Valid values depend on the Kerberos library version and configuration.
force | Force recreation if exists already. Choices:
ipa_host | The IPA server to retrieve the keytab from (FQDN).
| LDAP URI. If Can not be used with the
| Use this password for the key instead of one randomly generated.
path | The base path where to put generated keytab file.
principal | The non-realm part of the full principal name.
retrieve_mode | Retrieve an existing key from the server instead of generating a new one. This is incompatible with the The user requesting the keytab must have access to the keys for this operation to succeed. Be aware that if set This invalidates all previously retrieved keytabs for this service principal. Choices:
| The state of the keytab file. Choices:
Attributes

Attribute | Support | Description
---|---|---
| full | Can run in
| none | Will return details on what has changed (or possibly needs changing in
Examples

- name: Get kerberos ticket
  ansible.builtin.shell: kinit admin
  args:
    stdin: "{{ aldpro_admin_password }}"
  changed_when: true

- name: Create keytab
  community.general.ipa_getkeytab:
    path: /etc/ipa/test.keytab
    principal: HTTP/freeipa-dc02.ipa.test
    ipa_host: freeipa-dc01.ipa.test

- name: Retrieve already existing keytab
  community.general.ipa_getkeytab:
    path: /etc/ipa/test.keytab
    principal: HTTP/freeipa-dc02.ipa.test
    ipa_host: freeipa-dc01.ipa.test
    retrieve_mode: true

- name: Force keytab recreation
  community.general.ipa_getkeytab:
    path: /etc/ipa/test.keytab
    principal: HTTP/freeipa-dc02.ipa.test
    ipa_host: freeipa-dc01.ipa.test
    force: true
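As an added example that is not part of the collection's documentation, the following play combines the module with the steps a keytab deployment needs around it: keeping the admin password out of the log, restricting who can read the resulting file, and checking that the expected principal actually landed in it. The host names, the keytab_owner value and the admin_password variable are assumptions.

```yaml
- name: Provision an HTTP service keytab and verify it
  hosts: freeipa-dc02.ipa.test      # assumption: the host that will hold the keytab
  become: true
  vars:
    keytab_path: /etc/ipa/test.keytab
    service_principal: HTTP/freeipa-dc02.ipa.test
    keytab_owner: apache            # assumption: the service account that reads the keytab
  tasks:
    - name: Get a Kerberos ticket for the admin user
      ansible.builtin.shell: kinit admin
      args:
        stdin: "{{ admin_password }}"   # assumption: supplied from a vault
      changed_when: true
      no_log: true                      # keep the password out of the task output

    # Generating a new key invalidates any keytab previously retrieved for this
    # principal; use retrieve_mode: true instead when copying an existing key.
    - name: Create the keytab
      community.general.ipa_getkeytab:
        path: "{{ keytab_path }}"
        principal: "{{ service_principal }}"
        ipa_host: freeipa-dc01.ipa.test

    - name: Restrict the keytab to its service account
      ansible.builtin.file:
        path: "{{ keytab_path }}"
        owner: "{{ keytab_owner }}"
        group: "{{ keytab_owner }}"
        mode: "0600"

    - name: List the principals stored in the keytab
      ansible.builtin.command: klist -kt {{ keytab_path }}
      register: keytab_listing
      changed_when: false

    - name: Fail if the expected principal is missing
      ansible.builtin.assert:
        that:
          - service_principal in keytab_listing.stdout
        fail_msg: "{{ service_principal }} not found in {{ keytab_path }}"

    - name: Drop the admin ticket once the keytab is in place
      ansible.builtin.command: kdestroy
      changed_when: false
```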